A screenshot of the seized website.
A coalition of international law enforcement agencies have coordinated the takedown of the Genesis Market, an online criminal marketplace that advertised and sold packages of stolen credentials that threat actors use to compromise accounts in the financial sector, critical infrastructure and federal, state and local government agencies.
According to a news release from the U.S. Department of Justice, the Genesis Market’s website has been seized, and law enforcement is currently working to identity prolific users of the market who used those stolen access credentials to carry out cybercrimes. In addition, authorities have seized 11 domain names used to support Genesis Market’s infrastructure.
The DOJ says Genesis Market has since 2018 offered access to stolen data from over 1.5 million compromised devices around the world, containing over 80 million account access credentials. In addition to credentials, Genesis Market was “one of the most prolific initial access brokers” in the cybercrime world, authorities say, offering access often used by ransomware actors.
Authorities say the criminal marketplace was easy to use, giving users the ability to search for stolen credentials based on location and account type. The market also offered device fingerprints, unique combinaitons of device identifiers and browser cookies that circumvent anti-fraud detection systems used by many websites.
The combination of resources on Genesis Market allowed cybercriminals to essentially assume the identity of the victim, agencies say.
Cybersecurity company Trellix says it assisted in the investigation, helping law enforcement analyze and detect the malicious binaries linked to Genesis Market to render the market’s script and binaries useless.
In a blog, Trellix researchers say the market was the largest such resources for credentials, browser fingerprints and cookies. The market advertised on mostly Russian-speaking underground forums, and became a one-stop shop for account takeovers since its inception in 2018.
Genesis Market was largely used to target consumers, but Trellix says it has observed malicious detections across its enterprise sensors as well. The bulk of the malicious activity was detected in the Americas, with other activity in Europe and southeast Asia.
Genesis Market has also been linked to malware families used to infect victims and populate the store, and they include common info-stealers such as AZORult, Raccoon, Redline and DanaBot, Trellix researchers say.
Credentials contained on Genesis Market has been provided to Have I Been Pwned, allowing people and organizations to assess whether their credentials have been available on the dark web marketplace.
The FBI is asking users of Genesis Market, those who were in contact with Genesis Market administrators, or victims to contact the agency at [email protected]. In addition, Dutch Police have set up CheckYourHack to see if data was obtained and sold via the market.
Trellix also offers these recommendations for organizations and their IT and security administrators:
Train users in phishing and how to spot phishing – repeat training with test phishing emails for all users – users must be alert when it comes to links and attachments.
- Be very careful with password protected archives, as they will pass through most email scanning and web proxies.
- Check file extensions: a JPG, PDF or Document might not be what it looks like based on the icon! It can be an executable which disguises itself with its icon.
Implement web control and block access to any unknown/uncategorized websites.
Block or report any unknown application from communication to the/from the Internet – can be done by firewall solutions
Implement Adaptive Threat Protection (ATP) and configure Dynamic Application Containment (DAC) for unknown processes limiting what they can do.
Enable Exploit Prevention and enable signature for “Suspicious Double File Extension Execution” (Signature 413).
Protect session cookies with Exploit Prevention Expert rule.
Implement Expert rules which will trigger on any PowerShell or unknown / contained process accessing your session cookie?
- C:\Users\**\AppData\Local\Google\Chrome\User Data\Default\Network\**\*.*
- C:\Users\**\AppData\Roaming\Mozilla\Firefox\Profiles\**\*.*
- C:\Users\**\AppData\Local\Microsoft\Edge\User Data\Default\Network\**\*.*
Implement Endpoint Detection and Response. It could detect some of the techniques identified such as malicious use of web protocols, process injection and tool transfers.
Implement strong and deep email scanning.
Implement strong and deep web gateway and blocking of uncategorized web-sites and have a quick and trusted procedure to add more websites if needed.
Please apply the Identity and Access Management (IAM) best practices as outlined by CISA.
Review your current visibility and detection capability on credential theft and privilege abuse.
Read Trellix’s blog for more information, including indicators of compromise.
